dennisjackson / trust-negotiation-comments


Handling Older Clients section in usescases doc misstates EU and UK laws #2

Closed nharper closed 4 months ago

nharper commented 4 months ago

> The EU and the UK already have laws that require all device manufacturers to offer security updates for the full lifetime of the device, ensuring manufacturers keep device’s root stores updated.

Neither EU regulation 2019/1020 nor the UK PSTI Act (2022) requires this. The EU regulation only requires 5 years of security updates (Chapter II, Article 10, obligation 6). The UK PSTI Act specifies no minimum time period in which manufacturers must provide security updates; it merely requires that manufacturers be transparent about the minimum time period in which products will receive security updates.

The claim that "this issue [...] will not be a problem in the future" relies on this legislation somehow resulting in all devices receiving updates for an indefinite period of time until all users stop using those devices. I do not see that as the outcome of that legislation. First, the legislation requires updates for 5 years maximum. The legislation also doesn’t require that devices get automatically updated and instead can rely on users installing updates. From our experience with auto-updating web browsers, we know that there are still clients that don’t get updated. There is no reasonable way to conclude from this legislation that device updates are a solved problem.

dennisjackson commented 4 months ago

The relevant EU regulation is the Cyber Resilience Act, which I linked in the document; it was only proposed in 2020. Regulation 2019/1020 dates from... 2019... and is completely unrelated.

I agree that updates being available does not imply that users will apply those updates.

nharper commented 4 months ago

The link in the document is to https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act. On that page, the second paragraph starts with "The Cyber Resilience Act (CRA)", and links to https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act. That page has a link "Access the Cyber Resilience Act in all EU official languages", and when I follow that link I end up with a page "Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020".

That page has the text I refer to. It appears I misquoted it as regulation 2019/1020 when it is an amendment, but my point remains that it only requires updates for 5 years:

> When placing a product with digital elements on the market, and for the expected product lifetime or for a period of five years from the placing of the product on the market, whichever is shorter, manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I.

dennisjackson commented 4 months ago

Ah, I see where you've gone wrong; EU lawmaking is fairly byzantine.

The CRA was proposed as new text to be inserted into regulation 2019/1020 which has nothing to do with cybersecurity per se, just general market regulation. The text you're linking now is the original 2022 proposal from the Commission. It's changed quite a bit since then. You can read the final version of it, that was voted into law a few months ago, here.

You will be happy to read:

(57) One of the most important measures for users to take in order to protect their products with digital elements from cyberattacks is to install the latest available security updates as soon as possible. Manufacturers should therefore design their products and put in place processes to ensure that products with digital elements include functions that enable the notification, distribution, download and installation of security updates automatically, in particular in the case of consumer products

(60) For the purpose of ensuring the security of products with digital elements after their placing on the market, manufacturers should determine support periods, which should reflect the time the product with digital elements is expected to be in use. In determining a support period, a manufacturer should take into account in particular reasonable user expectations, the nature of the product, as well as relevant Union law determining the lifetime of products with digital elements. Manufacturers should also be able to take into account other relevant factors. Criteria should be applied in a manner that ensures proportionality in the determination of the support periods. Upon request, a manufacturer should provide market surveillance authorities with the information that was taken into account to determine the support period of a product with digital elements.

(61) The support period for which the manufacturer ensures the effective handling of vulnerabilities should be no less than five years, unless the lifetime of the product with digital elements is less than five years, in which case the manufacturer should ensure the vulnerability handling for that lifetime. Where the time the product with digital elements is reasonably expected to be in use is longer than five years, as is often the case for hardware components such as motherboards or microprocessors, network devices such as routers, modems or switches, as well as software, such as operating systems or video-editing tools, manufacturers should accordingly ensure longer support periods. In particular, products with digital elements intended for use in industrial settings, such as industrial control systems, are often in use for significantly longer periods of time.

(63) the Commission should be able to adopt delegated acts to specify minimum support periods for specific product categories where the data provided by market surveillance authorities suggests that the support periods determined by manufacturers are either systematically not in line with the criteria for determining the support periods as laid down in this Regulation or that manufacturers in different Member States unjustifiably determine different support periods.

As I said, lifetime support :-).

nharper commented 4 months ago

Thanks for providing that link. I see two easy editorial changes to make to the usecases doc based on reading that:

  1. Add a link to the adopted text of the CRA either in place of or in addition to the link that summarizes the CRA
  2. Remove the references to a similar UK law, as such a regulation appears not to exist

I still disagree with the conclusion that the result of this regulation makes handling older clients not a problem in the future. The manufacturer determines the support period, and there will always be people who use devices past when the manufacturer expects.